Cover and Decomposition Index Calculus on Elliptic Curves made practical
Application to a previously unreachable curve over $\mathbb{F}_{p^6}$
Vanessa Vitse and Antoine Joux, Université de Versailles Saint-Quentin, Laboratoire PRISM
Eurocrypt 2012 (slide deck)

Slide 1 / 21 (title slide). Footer: Vanessa Vitse (UVSQ), Cover and decomposition index calculus, 16 April 2012.

Slide 2 / 21: Section 1, Known attacks of the ECDLP


Slide 3 / 21: Known attacks of the ECDLP, generalities on the DLP. Discrete logarithm problem
Discrete logarithm problem (DLP): given a group $G$ and $g, h \in G$, find (when it exists) an integer $x$ such that $h = g^x$.
The difficulty is related to the group:
1. Generic attacks: complexity in $\Omega(\max_i(\alpha_i \sqrt{p_i}))$ if $\#G = \prod_i p_i^{\alpha_i}$
2. $G \subset (\mathbb{F}_q^*, \times)$: index calculus method with complexity in $L_q(1/3)$, where $L_q(\alpha) = \exp(c\,(\log q)^{\alpha} (\log\log q)^{1-\alpha})$
3. $G \subset (\mathrm{Jac}_C(\mathbb{F}_q), +)$: index calculus method better than generic attacks (if $g > 2$)


Slide 4 / 21: Known attacks of the ECDLP, generalities on the DLP. The discrete logarithm problem on elliptic curves
Use the group of points of an elliptic curve defined over a finite field.
(EC)DLP: given $P, Q \in G$, find (if it exists) $x$ such that $Q = [x]P$.
The group law is a good compromise between simplicity and intricacy.
[Figure: chord-and-tangent group law on the curve, with the points $P$, $Q$, $-(P+Q)$ and $P+Q$ marked]
Choice of the field:
- Prime field $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$: good security, but modular arithmetic is difficult to implement in hardware.
- Extension field $\mathbb{F}_{p^n}$: interesting when $p = 2$ or $p$ fits into a computer word, but potentially vulnerable to index calculus.

Slide 5 / 21: Known attacks of the ECDLP, generalities on the DLP. Basic outline of index calculus methods (additive notation)
1. Choice of a factor base: $\mathcal{F} = \{g_1, \dots, g_N\} \subset G$
2. Relation search: decompose $a_i \cdot g + b_i \cdot h$ ($a_i, b_i$ random) into $\mathcal{F}$:
   $$a_i \cdot g + b_i \cdot h = \sum_{j=1}^{N} c_{i,j} \cdot g_j$$
3. Linear algebra, once $k$ independent relations have been found ($k \geq N$):
   - construct the matrices $A = \begin{pmatrix} a_i & b_i \end{pmatrix}_{1 \leq i \leq k}$ and $M = (c_{i,j})_{1 \leq i \leq k,\ 1 \leq j \leq N}$
   - find $v = (v_1, \dots, v_k) \in \ker({}^t M)$ such that $vA \neq 0 \bmod \#G$
   - compute the solution of the DLP: $x = -\left(\sum_i a_i v_i\right) \big/ \left(\sum_i b_i v_i\right) \bmod \#G$
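The three-step outline above, worked through in code. This is an added example, not the authors' code: it runs the same factor base, relation search and kernel-vector linear algebra (with the final formula $x = -(\sum a_i v_i)/(\sum b_i v_i) \bmod \#G$), but in a prime-order subgroup of $\mathbb{Z}_p^*$ rather than on an elliptic curve, because small primes make the relation search trivial there while, as slide 6 notes, no comparable method is known on $E(\mathbb{F}_p)$. The safe prime p = 2879 (so q = 1439 is prime and #G = q), the generator g = 4, the factor base and the random seed are all constructed values.

```python
import random
P, Q, G = 2879, 1439, 4  # constructed: p safe prime, q = (p-1)/2 prime, g = 4 (a square) has order q
FACTOR_BASE = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]  # step 1: factor base F = {g_1, ..., g_N}, N = 10
def decompose(n, base):
    """Exponent vector (c_1, ..., c_N) of n over the factor base, or None if n is not smooth."""
    exps = []
    for f in base:
        e = 0
        while n % f == 0:
            n, e = n // f, e + 1
        exps.append(e)
    return exps if n == 1 else None
def kernel_vector(T, A, q):
    """Row-reduce T = transpose(M) over F_q; return v with v.M = 0 and sum(b_i v_i) != 0 mod q."""
    T, pivots = [row[:] for row in T], []
    for c in range(len(T[0])):
        r = len(pivots)
        piv = next((i for i in range(r, len(T)) if T[i][c]), None)
        if piv is None:
            continue
        T[r], T[piv] = T[piv], T[r]
        inv = pow(T[r][c], -1, q)
        T[r] = [x * inv % q for x in T[r]]
        for i in range(len(T)):
            f = T[i][c]
            if i != r and f:
                T[i] = [(x - f * y) % q for x, y in zip(T[i], T[r])]
        pivots.append(c)
    for fc in (c for c in range(len(T[0])) if c not in pivots):  # one basis vector per free column
        v = [int(c == fc) for c in range(len(T[0]))]
        for i, pc in enumerate(pivots):
            v[pc] = -T[i][fc] % q
        if sum(b * vi for (_, b), vi in zip(A, v)) % q:  # the page's condition vA != 0 mod #G
            return v
    raise ValueError("no usable kernel vector; collect more relations")
def index_calculus(g, h, p=P, q=Q, base=FACTOR_BASE, extra=5, seed=7):
    """Solve h = g^x in the order-q subgroup of Z_p^* following the three-step outline."""
    rng, A, M = random.Random(seed), [], []
    while len(M) < len(base) + extra:  # step 2: relations g^a h^b = prod_j g_j^{c_j} mod p, k > N of them
        a, b = rng.randrange(1, q), rng.randrange(1, q)
        c = decompose(pow(g, a, p) * pow(h, b, p) % p, base)
        if c is not None:
            A.append((a, b)); M.append(c)
    v = kernel_vector([list(col) for col in zip(*M)], A, q)  # step 3: v in ker(tM) with vA != 0
    sa = sum(a * vi for (a, _), vi in zip(A, v))
    sb = sum(b * vi for (_, b), vi in zip(A, v))
    return -sa * pow(sb, -1, q) % q  # x = -(sum a_i v_i) / (sum b_i v_i) mod #G
```

The kernel is taken modulo q only: a relation's exponents hold modulo p-1 = 2q, and reducing them modulo the odd prime q is enough because g and h lie in the subgroup of order q.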

Slide 6 / 21: Known attacks of the ECDLP, generalities on the DLP. Index calculus: two difficulties
1. From a practical point of view: the linear algebra is often the most delicate phase
   - the matrices are huge (several million unknowns) but very sparse (only a few non-zero coefficients per row)
   - the dedicated algorithms are difficult to distribute
2. From a theoretical point of view: how to find relations?
   - on $E(\mathbb{F}_p)$, no known method
   - on $E(\mathbb{F}_{p^n})$, two existing methods:
     * transfer to $\mathrm{Jac}_C(\mathbb{F}_p)$ via Weil descent
     * direct decompositions (Gaudry/Diem)



Slide 7 / 21: Known attacks of the ECDLP, Weil descent and cover attacks. Transfer of the ECDLP via cover maps (Weil descent)
Let $W = W_{\mathbb{F}_{q^n}/\mathbb{F}_q}(E)$ be the Weil restriction of the elliptic curve $E|\mathbb{F}_{q^n}$. The inclusion of a curve $C|\mathbb{F}_q \hookrightarrow W$ induces a cover map $\pi : C(\mathbb{F}_{q^n}) \to E(\mathbb{F}_{q^n})$.
1. Transfer the DLP from $\langle P \rangle \subset E(\mathbb{F}_{q^n})$ to $\mathrm{Jac}_C(\mathbb{F}_q)$.
   [Diagram: $C(\mathbb{F}_{q^n}) \to \mathrm{Jac}_C(\mathbb{F}_{q^n}) \xrightarrow{\mathrm{Tr}} \mathrm{Jac}_C(\mathbb{F}_q)$; the cover $\pi : C(\mathbb{F}_{q^n}) \to E(\mathbb{F}_{q^n})$ and the induced map $\pi^*$ between $\mathrm{Jac}_E(\mathbb{F}_{q^n}) \simeq E(\mathbb{F}_{q^n})$ and $\mathrm{Jac}_C(\mathbb{F}_{q^n})$; $g$ is the genus of $C$, with $g \geq n$.]
2. Use index calculus on $\mathrm{Jac}_C(\mathbb{F}_q)$: efficient if $C$ is hyperelliptic with small genus $g$ [Gaudry] or has a small-degree plane model [Diem].
Main difficulty: find a convenient curve $C$ with a genus small enough.


Slide 8 / 21: Known attacks of the ECDLP, Weil descent and cover attacks. The GHS construction
Gaudry-Heß-Smart (binary fields), Diem (odd characteristic case).
Given an elliptic curve $E|\mathbb{F}_{q^n}$ and a degree-2 map $E \to \mathbb{P}^1$, construct a curve $C|\mathbb{F}_q$ and a cover map $\pi : C \to E$.
Problem: for most elliptic curves, $g$ is of the order of $2^n$, and index calculus on $\mathrm{Jac}_C(\mathbb{F}_q)$ is then usually slower than generic methods on $E(\mathbb{F}_{q^n})$.
Possibility of using isogenies from $E$ to a vulnerable curve [Galbraith], which increases the number of vulnerable curves.

Slide 9 / 21: Known attacks of the ECDLP, decomposition attacks. Decomposition attack
Idea from Gaudry and Diem: no transfer, but apply index calculus directly on $E(\mathbb{F}_{q^n})$ (or $\mathrm{Jac}_H(\mathbb{F}_{q^n})$).
Principle:
- Factor base: $\mathcal{F} = \{ D_Q \in \mathrm{Jac}_H(\mathbb{F}_{q^n}) : D_Q \sim (Q) - (O_H),\ Q \in H(\mathbb{F}_{q^n}),\ x(Q) \in \mathbb{F}_q \}$
- Decomposition of an arbitrary divisor $D \in \mathrm{Jac}_H(\mathbb{F}_{q^n})$ into $ng$ divisors of the factor base: $D \sim \sum_{i=1}^{ng} ((Q_i) - (O_H))$
- Asymptotic complexity in $q^{2 - 2/ng}$ as $q \to \infty$
